CertAccord – The Genesis of a Simple Enrollment Solution for Linux

It comes as no surprise to anyone working with Microsoft products that the support and inclusion of operating systems other than Windows is often a second thought – at best. Nowhere is this more prevalent than with Certificate Services – one of the most common questions during the design and deployment is “Well Mark, how do we include all of our Linux servers?” Unfortunately, the answer is either to use the standard manual web enrollment site (Certificate Authority Web Enrollment) that hasn’t been touched by Microsoft since Windows Server 2003, or to use an EXPENSIVE third-party solution. Many of these third-party solutions are $100,000 – $1 Million. Yes, that’s right, a million bucks!

So for years I looked in earnest for a solution that would enable organizations to easily integrate these disenfranchised clients into their PKI. I didn’t want to have to deploy a massive, over-reaching solution that included complexity, infrastructure and costs that were outside the scope of issuing and managing certificates. I also wanted an intelligent solution that enabled behavior similar to Auto-Enrollment for Windows, meaning true set-and-forget configuration of SSL server certificates that required no monitoring or manual renewal. It also had to have the ability to enroll and manage more than just SSL certificates – what about IPsec? Client Authentication certificates for WiFi authentication? VPN? Code Signing?

The solution didn’t exist, so I helped found Revocent, and its flagship product is CertAccord. It is the first solution that meets all of my requirements – it helps to be part of the technical design team! Membership does have its privileges. So what is unique about CertAccord?

  • It is a bolt-on solution for Certificate Services – no Active Directory or CA changes are needed. This means you can deploy CertAccord without affecting your existing infrastructure or worrying about impact.
  • It uses your existing templates! That’s right, CertAccord essentially translates your AD templates and performs enrollments directly against them
  • Once a certificate is enrolled on a client, it will automatically be monitored and renewed, all without manual intervention, reporting or monitoring. It’s Set-and-Forget.
  • The trust of your PKI is part of the install process for the CertAccord agent – you no longer have to figure out how to get the Linux machines to trust your PKI
  • You can enable automatically enrolled certificates as well as optional certificates. So Linux administrators can either receive automatically pushed certificate enrollments or select which templates they want to enroll for.
  • Enrollment for Linux administrators is as simple as running the agent command with a simple purpose – such as “web server” or “ipsec”. They don’t need to know the AD template name, enrollment server details, key size, key usage OIDs, etc.
  • It had to be configurable and deployable into production in only a few hours. I hate long, weeks-long, complex deployments. I also know how hard it is to get an AD schema update approved in some environments!
  • Supports Red Hat Enterprise Linux and Ubuntu Server Linux

All of this is managed with a central Management Bridge as part of CertAccord. So you will have complete visibility of all enrolled Linux machines. Since the enrollments are sent directly to the CA using DCOM/RPC, the enrollments look like any other enrollment activities. You will be able to manage, revoke and report on certificates on your CA just like you do today.

All of this comes at a significantly lower price point. Since we don’t have the complexity and infrastructure requirements, our price point is considerably lower than the closest solution. We are purposely staying away from licensing on a per-certificate basis. We want you to use certificates and don’t want the financial impact of accounting and paying a per-certificate price to affect your budgets. In fact, our licensing plan is incredibly simple: a flat-rate price (all inclusive) up to 500 nodes, with a small per-node price above that for larger organizations.

This is just the initial release of CertAccord and we have many new and exciting features on our roadmap. The benefit of having worked with customers around the world and in a variety of markets has afforded me a unique perspective on certificate enrollment needs.

We are actively looking for key launch partners and offering significant discounts and dedicated technical support to ensure our customers deploy and use our product as easily as possible. If you are interested, don’t hesitate to reach out to me here, or contact us at sales@revocent.com.

 

About Mark B. Cooper aka "The PKI Guy"

President & Founder at PKI Solutions, Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, Trainer, Microsoft Certified Master.